From Roadmap to Reality: Getting Started with the First Steps of EU PQC Roadmap

The European Union’s Roadmap for Post-Quantum Cryptography

The European Union has published a clear and actionable strategy to counter the emerging threat of quantum computing through its “Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography (PQC)”, released in June 2025.

This roadmap delivers both urgency and structure, guiding national governments, critical infrastructure providers, and enterprises to begin the transition from quantum-vulnerable cryptography to quantum-safe systems — before it’s too late.

I think the overall tone of the Recommendation on Implementation Roadmap document demonstrates unprecedented urgency for transition to post quantum cryptography compared to any other earlier recommendations or guidelines from other agencies so far.

Summary of Key Recommendations

The roadmap calls for:

• A coordinated, phased approach to PQC adoption across all EU Member States with expected timelines and recommended steps

• Protection of long-term sensitive data, especially against “store-now, decrypt-later” threats

• Early migration of high-risk systems

• Establishing cryptographic agility for future-proofing

• Engaging the supply chain and cross-border services

• Alignment with EU cybersecurity regulations, including NIS2, DORA, and CRA.

Recommended Transition Timelines

The roadmap outlines three major milestones:

• By end of 2026: Complete foundational First Steps, define national/organizational PQC transition roadmaps, and begin pilots for high- and medium-risk systems.

• By end of 2030: Implement Next Steps and complete PQC migration for all high-risk systems. Quantum-safe upgrades should be the default in software and firmware.

• By end of 2035: Complete the PQC transition for medium- and low-risk systems, wherever feasible.

Summary of First Steps and Next Steps

First Steps (by end of 2026)

These are foundational actions to help organizations build early momentum toward a secure PQC transition. They focus on:

• Stakeholder alignment and governance

• Cryptographic inventory and dependency mapping

• Quantum risk analysis

• Awareness and training initiatives

• Supply chain engagement

• High-level roadmap and transition planning

They are described as “no-regret moves” — beneficial even beyond quantum-related risks.

* Next Steps (by end of 2030)

These build on the First Steps and include:

• Enabling cryptographic agility

• Adapting certification and regulatory frameworks

• Allocating long-term resources

• Piloting and scaling PQC implementations

• Participating in testing centers and standards bodies

Deep Dive into the First Steps

The First Steps are essential for laying the groundwork for any PQC migration. All organizations need to focus on these activities in the near term. Considering the urgency of the First Steps, let us discuss them in more detail. The recommended activities of the First Steps include:

1. Identify and involve stakeholders Bring together CISOs, CTOs, risk officers, IT/security leads, and strategic partners to ensure alignment and leadership support.

2. Support cryptographic asset management Begin building a cryptographic inventory covering keys, certificates, protocols, algorithms, libraries, and tools in use.

3. Create dependency maps Map internal systems, services, and third-party dependencies to understand complexity, exposure, and migration implications.

4. Perform quantum risk analysis Classify systems by risk level based on cryptographic exposure, sensitivity of data, and difficulty of migration.

5. Include the supply chain Engage with vendors and service providers to assess their PQC readiness and incorporate them into planning efforts.

6. Create awareness and training programs Build organization-wide understanding of quantum risks through structured communication and education initiatives.

7. Share knowledge and engage Participate in forums, working groups, and cross-sector collaboration initiatives at national and EU levels.

8. Develop a roadmap and implementation plan Define goals, prioritize use cases, and establish short- and long-term transition milestones with appropriate governance.

How AvinyaSQ Ignite Starter Packs Help You Begin and Accelerate the First Steps?

The AvinyaSQ Quantum Safe Migration (QSM) Ignite Starter Packs are designed to help organizations initiate, structure, and accelerate the First Steps of the EU PQC roadmap. The Starter Packs provide the necessary clarity, tools, frameworks, and expert guidance to start confidently and make measurable progress.

* Ignite Pack 1: Strategic Foundation

This pack includes:

• Leadership workshop on quantum threats

• Quantum Readiness Scorecard (QRI)

• Half-day workshop

• Strategic Roadmap

This helps to:

→ Align stakeholders across functions and build strategic understanding of PQC risks and opportunities

→ Raise awareness across business and technical teams

→ Initiate structured planning and set early transition priorities with readiness assessment

* Ignite Pack 2: Discovery & Prioritization

This pack includes:

• All of Pack 1

• 2–3 day technical masterclass on quantum-safe migration

• High-level Quantum Risk Assessment (QRA Foundation)

• Pilot cryptographic discovery

• Initiate supply chain/vendor risk analysis

• Use case prioritization framework

This help to:

→ Begin building cryptographic inventories and mapping dependencies

→ Initiate quantum risk assessment and classification

→ Identify supply chain components with exposure and prioritize critical systems for further action

* Ignite Pack 3: Implementation Pilots

This pack includes:

• All of Pack 1 and Pack 2

• Technical readiness gap assessment

• Pilot PQC implementation in selected environments

• Governance, budgeting, and policy planning

This helps to:

→ Launch pilot PQC use cases and test early integration strategies for high-risk systems

→ Assess internal technical gaps and constraints for migration

→ Begin shaping governance, resourcing, and roadmap structures for scaling PQC adoption

Together, the Ignite Starter Packs offer a low-barrier, high-impact entry point into quantum-safe migration — enabling organizations to act early, with confidence and structure, in alignment with the 2026 milestone of EU Roadmap.

Take Action Now

Starting your quantum-safe journey today positions your organization to:

• Meet upcoming regulatory and compliance expectations

• Gain early visibility into cryptographic risks and supply chain exposure

• Avoid costly last-minute transitions and technical debt

• Demonstrate leadership in long-term cybersecurity resilience

The AvinyaSQ Ignite Starter Packs initiate the implementation of the First Steps of the EU PQC roadmap through tangible, outcome-driven engagements — helping you move from intention to informed action.

🔗 Learn more: https://avinyasq.com/qsm-ignite-starter-packs

Reach out to kickstart your quantum resiliency journey...